I was looking at the code, and I think it currently treats primary and secondary authentication failures the same right ? I'm wonder if with 2FA there will be a very different failure rate on the 2FA auth, and if we need different weight depending on the Authmanager plugin throwing it.

I don't think we will be able to determine that before hand, but maybe we should have some logging, which would allow us to evaluate the experience ?

I was looking at the code, and I think it currently treats primary and secondary authentication failures the same right ? I'm wonder if with 2FA there will be a very different failure rate on the 2FA auth, and if we need different weight depending on the Authmanager plugin throwing it.
I don't think we will be able to determine that before hand, but maybe we should have some logging, which would allow us to evaluate the experience ?

Yeah. Original this was written pre auth manager so secondary auth was not really a thing yet. That's a good point. Im not really sure what the correct answer is.